CVE-2026-1656 Overview
The Business Directory Plugin for WordPress contains an authorization bypass vulnerability due to a missing authorization check in all versions up to, and including, 6.4.20. This vulnerability allows unauthenticated attackers to modify arbitrary listings, including changing titles, content, and email addresses, by directly referencing the listing ID in crafted requests to the wpbdp_ajax AJAX action.
Critical Impact
Unauthenticated attackers can modify any business directory listing without authorization, potentially compromising business information, contact details, and content integrity across the entire WordPress directory.
Affected Products
- Business Directory Plugin for WordPress versions up to and including 6.4.20
Discovery Timeline
- 2026-02-18 - CVE-2026-1656 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-1656
Vulnerability Analysis
This authorization bypass vulnerability (CWE-862: Missing Authorization) exists in the Business Directory Plugin's AJAX handling functionality. The core issue stems from the plugin failing to verify whether the requesting user has appropriate permissions before processing listing modification requests.
When a request reaches the wpbdp_ajax action with a listing ID, the plugin applies the requested modification without checking that the requester is logged in at all, let alone that they own the listing or hold an administrative capability. Any client that knows or guesses a valid listing ID can therefore rewrite that listing's data.
The vulnerability is particularly concerning because it affects the integrity of business information. Attackers could modify contact email addresses to redirect communications, change business descriptions to include malicious content or links, or alter titles to damage brand reputation.
Root Cause
The root cause is a missing authorization check in the class-authenticated-listing-view.php file within the plugin's helpers directory. The vulnerable code at line 20 fails to implement proper capability checks or ownership validation before allowing listing modifications through the AJAX handler.
This is a common WordPress plugin security anti-pattern: an AJAX action that is reachable without a session (WordPress dispatches requests from logged-out visitors to the wp_ajax_nopriv_{action} hook) performs a write without a current_user_can() capability check or a check that the caller owns the affected listing. Nonce verification via check_ajax_referer() is also absent here, but a nonce alone would not have closed this hole: it proves the request came from a form the site rendered (CSRF protection), not that the caller is allowed to edit the listing, and WordPress issues nonces to unauthenticated visitors as well.
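The following is an added illustration of the anti-pattern just described and of the corresponding fix, written in the style of a WordPress plugin AJAX handler. It is not code from the Business Directory Plugin: the function names, the action name example_update_listing, the listing_id/title/content parameters and the example_listing post type are all assumed for the illustration.

```php
<?php
/**
 * Added example (not Business Directory Plugin code). Hypothetical names:
 * example_update_listing*, listing_id, title, content, example_listing.
 * Shows a listing-update AJAX handler with no authorization (CWE-862)
 * beside a hardened version that checks nonce, login and ownership.
 */

// --- Vulnerable form: trusts the listing ID and field values as sent. ---
function example_update_listing_vulnerable() {
    $listing_id = (int) ( $_POST['listing_id'] ?? 0 );

    // No nonce, no login check, no capability or ownership check:
    // anyone who knows or guesses the ID can rewrite the post.
    wp_update_post( array(
        'ID'           => $listing_id,
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_listing_unsafe', 'example_update_listing_vulnerable' );
// Registering on the nopriv hook is what makes the handler reachable
// without any WordPress session at all.
add_action( 'wp_ajax_nopriv_example_update_listing_unsafe', 'example_update_listing_vulnerable' );

// --- Hardened form: CSRF nonce, then authentication, then authorization. ---
function example_update_listing_hardened() {
    // 1. Nonce: proves the request came from a form this site rendered
    //    (CSRF protection). On its own it is NOT an authorization check.
    check_ajax_referer( 'example_update_listing', 'nonce' );

    // 2. Authentication. The handler is only hooked on wp_ajax_ (below),
    //    but check explicitly so it stays safe if someone re-hooks it.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 ); // wp_die()s
    }

    // 3. Authorization: the target must exist, be a listing, and the
    //    caller must own it or hold a capability that covers others' posts.
    $listing_id = (int) ( $_POST['listing_id'] ?? 0 );
    $listing    = get_post( $listing_id );
    if ( ! $listing || 'example_listing' !== $listing->post_type ) {
        wp_send_json_error( 'no such listing', 404 );
    }
    $is_owner = (int) $listing->post_author === get_current_user_id();
    // 'edit_post' resolves through map_meta_cap; assumes the post type was
    // registered with map_meta_cap => true.
    if ( ! $is_owner && ! current_user_can( 'edit_post', $listing_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_update_post( array(
        'ID'           => $listing_id,
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
    ) );
    wp_send_json_success();
}
// Logged-in users only: an unauthenticated request to this action gets
// admin-ajax.php's default "0" response and never reaches the handler.
add_action( 'wp_ajax_example_update_listing', 'example_update_listing_hardened' );
```

The order matters: the nonce check rejects cross-site requests cheaply, the login check rules out anonymous callers, and only the ownership/capability check answers the question this CVE is about, namely whether this particular user may edit this particular listing.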
Attack Vector
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker only needs to identify valid listing IDs, which can often be enumerated through the public-facing directory pages, and then craft malicious POST requests to the WordPress AJAX endpoint.
The attack flow involves sending a POST request to /wp-admin/admin-ajax.php with the action parameter set to wpbdp_ajax, along with a target listing ID and the modified field values. Since no nonce verification or capability check is performed, the backend processes the request and updates the listing data in the database.
Detection Methods for CVE-2026-1656
Indicators of Compromise
- Unexpected modifications to business directory listings without corresponding authenticated user sessions
- AJAX requests to wpbdp_ajax action from unauthenticated sources attempting listing modifications
- Multiple rapid listing modification attempts from single IP addresses
- Changes to listing email addresses or contact information without owner action
Detection Strategies
- Monitor requests to the WordPress AJAX endpoint for action=wpbdp_ajax with listing modification parameters. Note that a standard web server access log records only the request line and query string, so an action name sent in a POST body is invisible there unless the WAF, a reverse proxy, or a WordPress-side hook logs it
- Implement file integrity monitoring on the Business Directory Plugin files to detect unauthorized changes
- Review web server access logs for suspicious patterns of POST requests to admin-ajax.php, such as bursts from one client IP with no preceding wp-login.php session, bearing in mind that admin-ajax.php is also used by many legitimate front-end features
- Set up database monitoring to track changes to the wpbdp_listings table and correlate each change with an authenticated session; a change with no corresponding logged-in user is the signature of this bug
Monitoring Recommendations
- Configure Web Application Firewall (WAF) rules to detect and block unauthenticated AJAX requests attempting listing modifications
- Enable WordPress audit logging to track all listing changes with associated user context
- Implement rate limiting on AJAX endpoints to prevent enumeration and mass modification attempts
How to Mitigate CVE-2026-1656
Immediate Actions Required
- Update the Business Directory Plugin to version 6.4.21 or later immediately
- Review all business directory listings for unauthorized modifications since plugin installation
- Check listing email addresses and contact information for unexpected changes
- Temporarily disable the plugin if immediate update is not possible
Patch Information
The vulnerability has been patched in version 6.4.21 of the Business Directory Plugin. The patch changeset implements proper authorization checks before processing listing modification requests. Site administrators should update through the WordPress plugin dashboard or by downloading the latest version from the WordPress Plugin Directory.
For additional technical details, refer to the Wordfence Vulnerability Report.
Workarounds
- Restrict access to admin-ajax.php at the web server level for unauthenticated users if the plugin's functionality is not required for public submissions
- Implement WAF rules to block POST requests to the AJAX endpoint containing the wpbdp_ajax action from unauthenticated sources; a WAF that inspects the request body is the only server-side layer that can see the action name in a POST
- Consider temporarily disabling the plugin until the update can be applied
- Use server-level access controls to limit AJAX endpoint access to authenticated WordPress users only. Caveat: the web server cannot validate a WordPress session. At best it can require the presence of a wordpress_logged_in_* cookie, which an attacker can set to any value, so treat such rules as noise reduction rather than authorization
# Apache 2.4 .htaccess fragment: deny wpbdp_ajax requests that carry no
# WordPress login cookie. Place in the WordPress root directory.
# Caveats: core Apache evaluates only the query string, not a POST body,
# and the cookie test is presence-only (trivially forged), so this is a
# stopgap that reduces noise, not an authorization control. It may also
# break legitimate public directory features; update the plugin instead
# wherever possible. Requests that do not match inherit the existing
# Require configuration for the directory.
<Files "admin-ajax.php">
    <If "%{QUERY_STRING} =~ /(^|&)action=wpbdp_ajax(&|$)/ && %{HTTP_COOKIE} !~ /wordpress_logged_in_/">
        Require all denied
    </If>
</Files>
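Because a web server rule cannot see a POST body or a real WordPress session, a WordPress-level stopgap is more reliable. The following added example, which is not code from the Business Directory Plugin or from Wordfence, is a must-use plugin that serves both the Monitoring Recommendations above (audit logging of wpbdp_ajax requests with user context, and per-IP rate limiting) and the Workarounds (refusing unauthenticated requests to that action until the site is patched). It assumes only what the advisory states, that the plugin dispatches on the request parameter action=wpbdp_ajax; the EXAMPLE_WPBDP_* constants, the thresholds and the use of PHP's error_log as the log destination are arbitrary choices.

```php
<?php
/**
 * Plugin Name: wpbdp_ajax stopgap (added example, not plugin code)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Hooks 'init', which admin-ajax.php runs before it fires the
 * wp_ajax_nopriv_wpbdp_ajax handler, so every wpbdp_ajax request is
 * (a) logged with user context, (b) rate-limited per client IP and
 * (c) refused when unauthenticated. All EXAMPLE_WPBDP_* names and
 * thresholds are assumptions for this illustration.
 */

const EXAMPLE_WPBDP_BLOCK_NOPRIV = true; // false: only log + rate-limit
const EXAMPLE_WPBDP_RATE_LIMIT   = 30;   // requests per IP per window
const EXAMPLE_WPBDP_RATE_WINDOW  = 60;   // seconds

function example_wpbdp_client_ip() {
    // Use REMOTE_ADDR only. X-Forwarded-For is attacker-controlled unless a
    // trusted proxy rewrites REMOTE_ADDR, in which case this still works.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_wpbdp_guard() {
    // Only admin-ajax.php requests (DOING_AJAX is set there).
    if ( ! wp_doing_ajax() ) {
        return;
    }
    // action may arrive in the query string or the POST body; $_REQUEST
    // covers both, which is exactly what an .htaccess rule cannot do.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'wpbdp_ajax' !== $action ) {
        return;
    }

    $ip      = example_wpbdp_client_ip();
    $user_id = get_current_user_id(); // 0 when no valid session cookie
    // Log parameter names only; listing content is user data.
    $params  = implode( ',', array_keys( $_REQUEST ) );
    error_log( sprintf(
        'wpbdp_ajax request ip=%s user=%d method=%s params=[%s]',
        $ip, $user_id, $_SERVER['REQUEST_METHOD'] ?? '?', $params
    ) );

    // Per-IP counter in a transient. set_transient() refreshes the expiry
    // on every hit, so the window slides; that is stricter than a fixed
    // window, which is acceptable for a stopgap.
    $key   = 'example_wpbdp_rl_' . md5( $ip ); // md5 only shortens the key
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_WPBDP_RATE_WINDOW );
    if ( $count > EXAMPLE_WPBDP_RATE_LIMIT ) {
        error_log( "wpbdp_ajax rate limit exceeded ip=$ip count=$count" );
        wp_send_json_error( 'rate limited', 429 ); // wp_die()s here
    }

    // Virtual patch: an unauthenticated caller never reaches the action.
    // Caveat: this also blocks any legitimate public use of wpbdp_ajax,
    // so exercise the front-end directory features before relying on it.
    if ( EXAMPLE_WPBDP_BLOCK_NOPRIV && 0 === $user_id ) {
        error_log( "wpbdp_ajax unauthenticated request blocked ip=$ip" );
        wp_send_json_error( 'authentication required', 401 );
    }
}
add_action( 'init', 'example_wpbdp_guard', 0 );
```

Where PHP's error_log ends up depends on the host; with WP_DEBUG_LOG enabled it is wp-content/debug.log. Remove the must-use plugin once the site is on 6.4.21 or later, or keep it with EXAMPLE_WPBDP_BLOCK_NOPRIV set to false if the audit trail is still wanted.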
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


